A FORENSIC PERSPECTIVE ON THE USE OF EVENT VIEWER FOR DETECTING MALICIOUS ACTIVITIES AND ENSURING SYSTEM INTEGRITY
DOI: https://doi.org/10.29121/shodhkosh.v5.i1.2024.5975
Keywords: Digital Forensics, Event Viewer, Windows Logs, XML Storage, System Integrity, Malware Detection, Log Analysis, Timeline Reconstruction, Cyber-security, Incident Response
Abstract [English]
Event Viewer is a vital tool embedded within Microsoft Windows that records a wide range of system, security, and application-related events. For forensic investigators, these logs are crucial in identifying signs of malicious activities, reconstructing timelines, and maintaining system integrity. This paper highlights the role of Event Viewer in digital forensics, discussing how specific logs from various categories—Application, Security, Setup, System, and Forwarded Events—can be extracted, parsed, and stored in XML format for in-depth analysis. Furthermore, the paper proposes a structured XML-based data model for efficient forensic storage and analysis, compares it with other log management approaches, and demonstrates its effectiveness in digital investigations.
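As an added illustration of the XML-based extraction and timeline workflow the abstract describes (example code written for this page, not the paper's own data model or tooling): the records below are constructed, but their namespace and System/EventData layout follow the schema Event Viewer emits when a log is saved as XML. Records from different channels are merged into one time-ordered timeline, and log-clearing events (Security 1102, System 104) are surfaced because they mark gaps in the evidence trail.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# (Channel, EventID) pairs recording that a log was cleared: a gap in the
# evidence trail that a timeline must surface rather than silently skip.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Constructed sample export: three events from two channels, out of order.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Service Control Manager"/><EventID>7045</EventID>
 <TimeCreated SystemTime="2024-03-01T10:15:30.1234567Z"/><Channel>System</Channel>
 <Computer>WS01</Computer></System>
 <EventData><Data Name="ServiceName">ExampleSvc</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
 <TimeCreated SystemTime="2024-03-01T10:14:02.0000000Z"/><Channel>Security</Channel>
 <Computer>WS01</Computer></System>
 <EventData><Data Name="TargetUserName">alice</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
 <TimeCreated SystemTime="2024-03-01T10:20:00.0000000Z"/><Channel>Security</Channel>
 <Computer>WS01</Computer></System></Event>
</Events>"""

def parse_systemtime(value):
    """SystemTime carries 7 fractional digits; datetime accepts at most 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)

def parse_events(xml_text):
    """Return one dict per <Event>, oldest first, regardless of source channel."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        rows.append({
            "time": parse_systemtime(sysnode.find("e:TimeCreated", NS).get("SystemTime")),
            "channel": sysnode.findtext("e:Channel", namespaces=NS),
            "event_id": int(sysnode.findtext("e:EventID", namespaces=NS)),
            "computer": sysnode.findtext("e:Computer", namespaces=NS),
            "data": {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return sorted(rows, key=lambda r: r["time"])

def flag_log_clearing(rows):
    """Rows whose (channel, event_id) records a cleared log."""
    return [r for r in rows if (r["channel"], r["event_id"]) in LOG_CLEARED]
```

Feeding `parse_events` a real "Save As XML" export from each channel and concatenating the results gives the cross-channel timeline; `flag_log_clearing` then points the investigator at the moments where the record itself was interrupted.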
License
Copyright (c) 2024 Premal Patel, Pina M. Bhatt, Umang Parmar, Keval Bhavsar

This work is licensed under a Creative Commons Attribution 4.0 International License.
With the licence CC-BY, authors retain the copyright, allowing anyone to download, reuse, re-print, modify, distribute, and/or copy their contribution. The work must be properly attributed to its author.
It is not necessary to ask for further permission from the author or journal board.
This journal provides immediate open access to its content on the principle that making research freely available to the public supports a greater global exchange of knowledge.